On-line/off-line digital signing.



A method for "on-line/off-line" digital signing is described and begins by pre-computing a data string x from
a pair of matching public and secret keys of a digital signature scheme such that, for any message m later
selected to be signed, a signature of m derived from x can be computed substantially faster than the signature
of m derived from the matching public and secret keys. After a message m is selected to be signed, the method
computes a signature σ of the message m using the data string x. Because the method uses a two-stage
approach to sign a message, the technique can be advantageously used to enhance the security of known digital
signature schemes or to effect transaction processing using "smart" cards.
ON-LINE/OFF-LINE DIGITAL SIGNING



The present invention relates generally to message encoding techniques and more particularly to a new 
technique for generating digital signatures which enhances the security and the efficiency of known 
signature schemes. 

Digital signature schemes are well-known in the prior art. In a conventional signature scheme, each user
publishes a public key while keeping a secret key. The user's signature for a message m is a value σ which
can be efficiently computed with knowledge of the secret key and then verified by anyone using only the
known public key. It is hard to forge the user's signature, however, without knowledge of the secret key.
One such digital signature scheme is the so-called Rabin scheme wherein a user U publishes a composite
number $n_U$, a product of 2 primes, as his public key, and keeps $n_U$'s prime factorization as his secret key.
The signature of a message m (an integer between 1 and $n_U$ and relatively prime with $n_U$) is then computed.
If m is a square modulo $n_U$, then its signature is $\sigma = \sqrt{m} \bmod n_U$. If m is not a square, its signature is a pair
(r, σ), where $\sigma = \sqrt{m \cdot r} \bmod n_U$ and r is a few-bit random number, so that $m \cdot r$ is a square mod $n_U$. In
Rabin's scheme, as in all currently known digital signature schemes, signing is feasible, though not always
efficient, when the lengths of the public and secret keys are large.

It is also known in the prior art that of the various kinds of attacks that can be mounted by a forger
against a signature scheme, the most general is an adaptive chosen plaintext attack. In this type of attack,
the forger uses the signer to obtain sample signatures of messages of the forger's choice. The forger's
choices are made dependent on the public key and on signatures returned by the user in response to the
forger's previous requests. The knowledge gained by the forger can then be used to forge a signature of a
message not previously signed or, at worst, to determine the secret key itself. Rabin's scheme, described
above, is totally unsecure against an adaptive chosen plaintext attack.

In many applications, e.g., using a so-called "smart" or intelligent card to effect commercial transactions,
it would be desirable and necessary to be able to generate a digital signature immediately after a
message has been chosen. However, because all currently-available signature schemes only compute the
signature after selection of the message, digital signing techniques are not presently useful for such
real-time applications. One method to overcome this problem would be to use more efficient computational
techniques; however, such techniques are prohibitively expensive. Alternatively, the signer must be willing
to compute and store the signature of all possible messages before the signing of individual messages
takes place. This approach is also impractical.

It would therefore be desirable to have a new approach to digital signing which overcomes these and
other problems associated with prior art techniques.

BRIEF SUMMARY OF THE INVENTION 


It is an object of the present invention to describe a novel digital signature technique wherein some 
portion of the message signing routine is carried out "off-line," namely, before the message itself has been 
chosen. 

It is a further object of the invention to provide a method that transforms any ordinary digital signature
scheme to one that exploits off-line pre-processing to thereby strengthen the scheme against a chosen
plaintext attack.

It is yet another object of the present invention to provide a digital signature scheme in which the
signing of a message is broken into two phases. The first or "off-line" phase requires a moderate amount of
computation but it presents the advantage that it can be performed leisurely, before the message to be
signed is known. Because the message to be signed is not yet chosen, such a computation is, in effect, a
"generic" one. The second phase is the so-called "on-line" phase which starts after the message is known
and, by cleverly utilizing the "generic computation" of the off-line phase, is much faster than prior art
approaches.

It is still a further object of the invention to provide a method for transforming a known digital signature
scheme in such a manner that the transformed scheme is invulnerable to chosen plaintext attack even if the
underlying scheme is not.

These and other objects of the invention are provided in a method for enabling a single signer to
generate a digital signature of a message using first and second digital signature schemes, each of the
digital signature schemes having a key generation algorithm for generating a pair of matching public and
secret keys, a signing algorithm which uses the pair of matching public and secret keys to produce a
signature with respect to the public key, and a verification algorithm for determining whether the signature
produced by the signing algorithm is valid with respect to the public key. Generally, the method comprises
two (2) basic steps: (a) computing a signature Σ of the public key pk of the first digital signature scheme
using the signing algorithm S of the second digital signature scheme, and (b) computing a signature σ of
the message using the signing algorithm s of the first digital signature scheme to generate a digital
signature of the message "m", the digital signature comprising a data string (Σ,σ).

Preferably, the first digital signature scheme is a so-called "one-time" scheme which is essentially
guaranteed to be secure as long as it is used to sign substantially no more than one message. Therefore,
as each new message is selected for signing, preferably a new one-time digital signature scheme is used.
Moreover, if desired the signer may enrich (i.e., add to) and/or hash (i.e., decrease the length of) the public
key pk and/or the message to create an "enriched" and/or "hashed" public key or message in connection
with performing the signature computations. For example, the signer can enrich the message with a data
string (comprising the public key pk, a hashed version of the public key pk, a hashed version of the public
key pk enriched with a data string, the signature Σ, data identifying the signer, data identifying the date of
signing, other data or no data) to create an enriched message. Thereafter, the signer may also apply a
predetermined differentiating function H to the enriched message prior to computing the signature σ.
Likewise, the signer may enrich the public key with a data string to create an enriched public key prior to
computing the signature Σ.

In another method of the invention, a signer runs the key generation algorithm g of a preferably
one-time digital signature scheme to generate a plurality of public keys and their associated secret keys. The
signer then computes a signature Σ of the plurality of public keys of the first digital signature scheme using
the signing algorithm S of the second digital signature scheme. A data string, comprising a pre-computed
signature which includes the signature Σ of the plurality of public keys of the first digital signature scheme,
is then stored to complete an "off-line" phase. After a message m is selected to be signed, the signer uses
a predetermined differentiating function H to map the message into a data string H(m) and then computes a
signature σ of the data string H(m) with respect to one of the public keys pk of the first digital signature
scheme using the signing algorithm s of the first digital signature scheme. The "on-line" phase is
completed by compiling a data string (Σ,σ) representing a signature of the message m. To increase the
speed of the off-line phase, the signer may hash the plurality of public keys prior to computing the
signature Σ. If so, the data string representing the signature of the message will include the plurality of
public keys or other data to enable verification.

In accordance with yet a further feature of the invention, a method is described for enhancing the
security of a known digital signature scheme which may be subject to an adaptive chosen plaintext attack,
the known digital signature scheme having a key generation algorithm G for generating a pair of matching
public and secret keys (PK,SK), a signing algorithm S which uses the pair of matching public and secret
keys to produce a signature with respect to the public key PK, and a verification algorithm V for determining
whether the signature produced by the signing algorithm is valid with respect to the public key PK.
According to this method, a key generation algorithm g of a one-time digital signature scheme is run to
generate a one-time public key pk and its associated one-time secret key sk. This step is equivalent to the
signer selecting a one-time secret key and then computing the matching one-time public key therefrom.
Thereafter, the method computes a signature Σ of the public key pk of the one-time digital signature
scheme using the signing algorithm S of the known digital signature scheme. A pre-computed signature,
which includes at least the signature Σ of the public key pk of the one-time digital signature scheme, or
sufficient data to quickly compute it, is then compiled and stored. This completes a so-called "off-line"
phase of the method. In the "on-line" phase, a message m to be signed is selected. Then, a predetermined
differentiating function H is used to map the message into an enriched message, and a signature σ of the
enriched message is computed using the signing algorithm s of the one-time digital signature scheme. To
complete the on-line phase, the signer compiles a data string (Σ,σ) representing a signature of the message
m.

In another embodiment of the invention, a method for on-line/off-line digital signing begins by
pre-computing a data string x from a pair of matching public and secret keys of a digital signature scheme such
that, for any message m later selected to be signed, a signature of m derived from x can be computed
substantially faster than the signature of m derived from the matching public and secret keys. After a
message is selected to be signed, the method computes a signature σ of the message using the data string
x. The pre-computation and signature computation steps may be carried out by the same signer or by
different signers.

Because the on-line phase preferably uses a "one-time" digital signature scheme, a further feature of
the invention is the provision of a unique method for generating a one-time digital signature of a message
ready to be signed. This method begins by selecting a predetermined one-way function f and generating k
randomly-selected input strings as a one-time secret key, where the number of input strings k is less than
the length n of the message m. Thereafter, the signer applies the one-way function f to the input strings of
the one-time secret key to generate a one-time public key corresponding to the one-time secret key. To
complete the scheme, the signer then applies the one-way function f to the input strings of the secret key a
predetermined number of times x, where x is polynomial in n, to generate a one-time signature of the
message relative to the one-time public key.

The on-line/off-line digital signature scheme is useful for a number of practical applications. One such
application is transaction processing using an "intelligent" credit card or the like. In accordance with a
further feature of the invention, a system for allowing authorized users of intelligent cards to effect
transactions via at least one transaction terminal is also described. This system includes a plurality of
intelligent cards, a loading terminal, and at least one transaction terminal. Each of the cards has a memory
for storing a data string x pre-computed (by the loading terminal) from a pair of matching public and secret
keys of a digital signature scheme such that, for any message m later selected to be signed, a signature of
m derived from x can be computed substantially faster than the signature of m derived from the matching
public and secret keys. Each card further includes means for computing a signature σ of the message m
using the data string x. The transaction terminal preferably includes means for receiving a card inserted into
the transaction terminal, means for communicating with the card inserted into the terminal and means for
receiving the signature σ of the message m computed by the card. Alternatively, the transaction terminal
may communicate with the card over a communications channel such as a telephone line which may be
made cryptographically secure if desired.

The foregoing has outlined some of the more pertinent objects of the present invention. These objects
should be construed to be merely illustrative of some of the more prominent features and applications of
the invention. Many other beneficial results can be attained by applying the disclosed invention in a
different manner or modifying the invention as will be described. Accordingly, other objects and a fuller
understanding of the invention may be had by referring to the following Detailed Description of the preferred
embodiment.

For a more complete understanding of the present invention and the advantages thereof, reference
should be made to the following Detailed Description taken in connection with the accompanying drawings
in which:

FIGURE 1 is a flowchart of an on-line/off-line digital signature scheme according to the present 
invention; 

FIGURE 2 is a detailed flowchart diagram showing the preferred embodiment of the on-line/off-line 
scheme of FIGURE 1 in accordance with the present invention; 
FIGURE 3 is a schematic diagram of a transaction processing system according to the invention for
use in effecting transactions by exploiting the on-line/off-line digital signing techniques of FIGURE 1; and

FIGURE 4 is a flowchart diagram showing a preferred one-time signature scheme according to the 
teachings of the invention; 

Similar reference characters refer to similar steps throughout the several methods shown in the
drawings.



DETAILED DESCRIPTION 

A prior art digital signature scheme generally has the following components:

* An efficient key generation algorithm G which can be used by any user U to produce a pair (PK, SK) of 
matching public and secret keys; stated differently, a method for selecting a secret key and computing a 
matching public key therefrom. 

* An efficient signing algorithm S which, given a message m and a pair (PK,SK) of matching public and
secret keys, produces a signature s of m with respect to PK.

* An efficient verification algorithm V which, given s, m, and PK, tests whether s is a valid signature for the 
message m with respect to the public key PK. 

Such prior art schemes are enhanced according to the invention by preprocessing in a so-called
on-line/off-line manner. In particular, an on-line/off-line digital signature scheme is one in which the signing of a
message is broken into two phases. The first phase is "off-line". While the off-line phase requires a
reasonable amount of computation, it presents the advantage that it can be performed leisurely, before the
message to be signed is known. As the message to be signed is not yet chosen, such a computation is in
effect a "generic" one. The second phase is "on-line". It starts after the message is known and, by cleverly
utilizing the "generic computation" of the off-line phase, is much faster than prior art approaches.

In the preferred embodiment of the invention, efficient on-line/off-line signature schemes generally
combine three main ingredients: an efficient (conventional) signature scheme, an efficient differentiating
function, and an efficient one-time signature scheme. The first ingredient has been described above.
Regarding the second ingredient, preferably the differentiating function is a hashing function H. A function is
differentiating if it is essentially impossible to find two messages that are mapped to the same value. A
one-time signature scheme is a signature scheme which is essentially guaranteed to be secure as long as it is
used only once; i.e., to sign one message only. This means that an adversary (who does not know the
secret key) cannot forge the signature of a message by just looking at the public key and one
previously-signed message.

Referring now to FIGURE 1, a method for digital signing begins at step 10 wherein the signer selects an
agreed-upon underlying signature scheme having a key-generation algorithm G, a signing algorithm S, and
a verification algorithm V. The underlying digital signature scheme can be any of a plurality of known
signature schemes such as the Rivest, Shamir and Adleman (RSA) scheme. At step 12, the signer runs G
to generate its public key, PK, which is then publicized. The signer keeps the matching secret key, SK, for
itself. At step 14, the signer selects H as an agreed upon differentiating function which maps arbitrarily long
messages to n-bit long strings. For example, but not by way of limitation, H can be a differentiating hashing
function or the identity function. At step 16, the signer selects an agreed-upon one-time signature scheme
having an agreed-upon one-time key-generation algorithm g, a one-time signing algorithm s, and a one-time
verification algorithm v. The order of steps 10-16 can, of course, be modified by the signer in any
convenient manner. Likewise, the signer may group one or more steps into a single step.

Before any message m has been chosen, the signer runs algorithm g at step 18 to randomly select a
one-time public key pk and its associated secret key sk for one-time signing an n-bit string. At step 20, the
signer computes the underlying signature of pk using the signing algorithm S:

$\Sigma = S(pk, PK, SK)$.

Alternatively, the signer may use a predetermined differentiating function to "enrich" (i.e., add to) and/or
"hash" (i.e., decrease the length of) the public key pk to create an enriched and/or hashed public key prior
to computing the signature Σ at step 20. At step 22, the signer stores a "pre-computed signature" (Σ,pk,sk)
in a suitable storage area. The pre-computed signature represents a data string having a special property.
In particular, for any message "m" later selected to be signed, the signature of the data string can be
computed substantially faster than the signature of m derived from the matching public and secret keys.
Steps 10-22 represent a so-called "off-line" phase of the method. Thereafter, an "on-line" phase is initiated
whenever a message m to be signed is selected at step 24.

At step 26, the signer proceeds to retrieve the pre-computed signature from memory. At step 28, the
signer may use a predetermined differentiating function to either "enrich" and/or "hash" the message to
create an "enriched" and/or "hashed" message. For example, if this function is the identity function, step
28 leaves the message intact. If the signer desires to modify the message, however, it can hash the
message to reduce its size and/or it can enrich the message with a data string (e.g., the public key pk, a
hashed version of the public key pk, a hashed version of an enriched public key pk, the signature Σ, data
identifying the signer, data identifying the date of signing, other data or no data) to create the hashed and/or
enriched message.

To complete the on-line phase, the signer continues at step 30 by computing a one-time signature σ of
the hashed and/or enriched message H(m) using the signing algorithm s:

$\sigma = s(H(m), pk, sk)$.

The signature of m is then compiled at step 32 as the data string (Σ,σ). If the signature of m cannot be
derived from σ, the data string compiled at step 32 must include the public key pk as well.

To verify the signature, the signee uses verification algorithm V and the public key PK at step 34 to
check whether Σ is indeed the signature of pk in the underlying one-time digital signature scheme. If so, the
method continues at step 36 where the signee computes the hashed or enriched message as the case may
be. At step 38, the signee runs the one-time verification algorithm v to verify that σ is the one-time signature
of the hashed or enriched message with respect to the one-time public key pk. If so, verification is
complete.

The method of FIGURE 1 is highly advantageous because a forger cannot make good use of a chosen
plaintext attack against the underlying signature scheme, even if one exists. In fact, for any message that
the forger may choose to have signed, the underlying signature scheme will only be used to sign an
independently-selected and essentially random message, i.e., pk. The forger also cannot mount a chosen
plaintext attack against the one-time scheme since the method preferably uses a one-time public key only
once and the scheme is secure if only one message is to be signed.

Moreover, a forger cannot easily attack the resulting combined scheme. Assume an adversary (who
does not know the proper secret key) wants to forge the signature of a message m' never signed before. If
he wants to use the same one-time public key pk used by the legal signer in the signature (Σ,σ) of a
previous message m, then he should be able to compute the one-time signature (with respect to pk) of
H(m'). But if H for example is a differentiating hashing function, H(m') is a different string than H(m). Thus,
given that the legal signer uses pk only once for one-time signing the string H(m), and given that the
one-time signature scheme is secure, neither σ is a valid signature for H(m') nor can the adversary compute
such a valid signature. Also, if the adversary first chooses a one-time public key pk' (never used by the
legal signer before) together with its one-time secret key to compute the one-time signature of H(m'), he will
be unable to later conventionally sign pk' since the underlying conventional scheme is secure.

In its basic version, the off-line computation described above does not use the underlying scheme to
sign "messages," but rather the string "pk". Stated differently, the basic method uses the underlying
signature scheme purely as a mathematical function mapping strings to strings (or numbers to numbers).
Neither the message nor anything dependent on the message is fed to the underlying signing function. The
one-time public key is itself selected prior to selecting the message. Furthermore, the effort required by the
on-line phase is negligible with respect to that of computing a conventional signature.

In an alternate embodiment of the method set forth in FIGURE 1, step 18 is modified such that
algorithm g randomly selects a plurality of one-time public keys and their associated secret keys. Step 20 is
then modified to compute a signature Σ of the plurality of public keys using the signing algorithm S. Step
30 is also modified to reflect that the signature σ is computed with respect to one of the public keys. In this
manner, a different public key pk (and therefore a different one-time signature scheme) is used for each
message (or each group of messages) to be signed.

If the plurality of one-time public keys are too long, they can be hashed using a differentiating function
prior to being signed. In particular, the signer selects a fixed differentiating function H and generates and
signs a data string $H(pk_1 pk_2 \ldots pk_n)$. Step 30 of FIGURE 1 would then also be modified to compute the
signature σ of the enriched and/or hashed message. In this embodiment, the data string representing the
signature of the message includes the plurality of public keys or other data to facilitate verification.

The disclosed scheme readily lends itself to several other variations. First, because the differentiating
function H is used primarily to avoid having two messages mapped to the same bit pattern, any number
of such functions can be used by the signer. As discussed above, at step 28 of FIGURE 1, the signer may
hash m together with Σ instead of pk; alternatively, the signer may choose to hash m alone by computing
H(m). In either case, step 30 of FIGURE 1 would then be correspondingly changed to reflect computation of
the signature σ of the mapped message H(m,Σ) or H(m) as the case may be. Moreover, as noted above the
function H can receive other inputs such as all or part of the public key, the name of the signee or the
current date. Any part of the differentiating function inputs or the final hashed value thereof can also be
randomly perturbed.

As also discussed above, the signature (Σ,σ) may contain more than the necessary information to verify
a valid signature. Signatures can be made shorter by taking out this unnecessary information. For instance,
the verifier can be provided just a few bits to enable him to reconstruct and check the validity of the
combined signature. Similarly, the length of the pre-computed signature (Σ,pk,sk) can be shortened by
only remembering Σ and sk. This variation is especially useful for some one-time signature schemes where
pk can be easily computed from sk.

Referring now to FIGURE 2, the preferred embodiment of the on-line/off-line digital signing method of
the invention is shown. In this embodiment a modification of Rabin's scheme is used as the underlying
digital signature scheme, the well-known DES algorithm is used to build a one-time signature scheme, and
DES is also used (in a standard way) as the differentiating hashing function.

For her underlying signature scheme, the signer A begins at step 40 by choosing at random two
primes, one congruent to 3 mod 8 and the other congruent to 7 mod 8. A keeps the two primes as her
secret key and, at step 42, publicizes their product, $n_A$, as her public key. Preferably $n_A$ is at least 1024-bits
long. Given this way of choosing the primes, for any integer v between 1 and $n_A$ and relatively prime with
$n_A$, exactly one of the values in the set $S_v = \{v, -v \bmod n_A, 2v \bmod n_A, -2v \bmod n_A\}$ is a square modulo $n_A$.
Moreover, each square mod $n_A$ has exactly 4 distinct square roots mod $n_A$. The extended square root of v
mod $n_A$ is defined to be a distinguished square root mod $n_A$ (say, the smallest one) of the appropriate
member of $S_v$. By writing $a = \mathrm{ext}\sqrt{v} \bmod n_A$, a is the extended square root of v mod $n_A$. Such an a is easy to
compute for the signer A as she knows $n_A$'s prime factorization and is as hard to compute as the
factorization of $n_A$ for anyone else.

The signer may then sign a message m between 1 and $n_A$ and relatively prime with $n_A$ by computing
$a = \mathrm{ext}\sqrt{m}$. For m larger than $n_A$, as discussed above the signer might first properly reduce the message by
computing H'(m) (where H' is a fixed, publicly available differentiating hashing function) and then compute
its extended square root mod $n_A$. With overwhelming probability, this function is a randomly chosen integer
between 1 and $n_A$ and is relatively prime with $n_A$. Anyone can verify that a is a legal signature of m by
computing $a^2 \bmod n_A$ and then checking to see that it belongs to the set $S_m$.

In step 46, A uses her spare time to produce the concatenation of a plurality of (e.g., 33) DES keys.
Each key (56-bits long for standard DES) is chosen randomly. Thus,

$sk = K_1 K_2 \ldots K_{33}$

will be a one-time secret key. At step 48, A computes the corresponding public key pk as follows:

$pk = DES^{32}(M, K_1) \ldots DES^{32}(M, K_{33})$

where M is a standard message, known to all. Here, $DES^x(\cdot, K)$ means iterating the DES function "x" times
with the key K. A continues at step 50 by first hashing pk with a differentiating function to generate v and
then signing the result. A can perform this task reasonably efficiently since she knows the two prime factors
of $n_A$. Thus:

$v = H(pk)$
$\Sigma = \mathrm{ext}\sqrt{v} \pmod{n_A}$

At step 52, A stores the pre-computed signature (Σ,v,sk).

At step 54, a message m is selected for signing. At step 56, A retrieves the pre-computed signature
(Σ,v,sk) from memory and then, at step 58, computes the 165-bit string:

$x = H(m,v) = B_1 \ldots B_{33}$,

the concatenation of 33 blocks, each 5-bits long and thus an integer between 1 and 32. The function
"H(m,v)" represents the result of applying the differentiating function H to the strings "m" and "v" together. At
step 60, she computes the 2112-bit string:

$y = y_1 \ldots y_{32} y_{33}$

where

$y_i = DES^{32 - B_i}(M, K_i)$

for i = 1, ..., 32 and

y 33 -DES 1 33/ <M,K 33 ). 



This completes the signing process. At step 62 the signature comprising (x,Σ,y) is compiled. To verify the
signature, the signee begins at step 64 by dividing x into 33 5-bit blocks,

$x = B_1 \ldots B_{32} B_{33}$,

and then, at step 66, computes

$pk = DES^{B_1}(M, y_1) \ldots DES^{B_{32}}(M, y_{32}) \, DES^{B_1 + \ldots + B_{32}}(M, y_{33})$,

$v = H(pk)$.



At step 68, the signee checks that Σ is an extended square root of v mod $n_A$; i.e., that $\Sigma^2 \bmod n_A$ is one of
the four members of $S_v$. This completes the verification of the signature.
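
The off-line, on-line and verification phases of FIGURE 2 (which instantiate the steps of FIGURE 1), as an added Python example that is not code from the patent. Assumptions: SHA-256 stands in for iterated DES and for H, the key is built from two publicly known primes (constructed demo values that give no security), and the depth and exponent rule of the 33rd (checksum) chain are this example's own choice.

```python
import hashlib
import secrets

# Constructed demo key: both primes are publicly known, so it gives no security.
# The page calls for randomly chosen primes and an n_A of at least 1024 bits.
P = 2**256 - 189            # prime, congruent to 3 mod 8
Q = 2**521 - 1              # prime, congruent to 7 mod 8
N_A = P * Q                 # public key of the underlying scheme
CHAINS, DEPTH = 32, 32      # 32 message chains of depth 32 ...
CK_DEPTH = CHAINS * DEPTH   # ... plus one checksum chain (assumed depth)


def f(x, times):
    """One-way function applied `times` times (SHA-256 stands in for DES)."""
    for _ in range(times):
        x = hashlib.sha256(x).digest()
    return x


def s_v(v):
    """The set S_v = {v, -v, 2v, -2v} mod n_A."""
    return [v % N_A, -v % N_A, 2 * v % N_A, -2 * v % N_A]


def ext_sqrt(v):
    """Smallest square root mod n_A of the one member of S_v that is a square."""
    for c in s_v(v):
        if pow(c, (P - 1) // 2, P) == 1 and pow(c, (Q - 1) // 2, Q) == 1:
            rp, rq = pow(c, (P + 1) // 4, P), pow(c, (Q + 1) // 4, Q)
            inv = pow(P, -1, Q)
            # Combine the roots mod P and mod Q (CRT) into the four roots mod n_A.
            return min(a + P * ((b - a) * inv % Q)
                       for a in (rp, P - rp) for b in (rq, Q - rq))
    raise ValueError("v is not relatively prime with n_A")


def h_pk(pk):
    """v = H(pk): hash of the concatenated one-time public key."""
    return int.from_bytes(hashlib.sha256(b"".join(pk)).digest(), "big")


def blocks(m, v):
    """x = H(m, v) cut into 32 five-bit blocks, each read as an integer 1..32."""
    digest = hashlib.sha256(m + v.to_bytes(32, "big")).digest()[:20]
    x = int.from_bytes(digest, "big")
    return [((x >> (5 * i)) & 31) + 1 for i in range(CHAINS)]


def offline():
    """Steps 46-52: one-time keys, v = H(pk), Sigma = ext sqrt of v; keep (Sigma, v, sk)."""
    sk = [secrets.token_bytes(16) for _ in range(CHAINS + 1)]
    pk = [f(k, DEPTH) for k in sk[:CHAINS]] + [f(sk[CHAINS], CK_DEPTH)]
    v = h_pk(pk)
    return ext_sqrt(v), v, sk


def online(m, stored):
    """Steps 54-62: hashing only. `stored` must be discarded after one use."""
    Sigma, v, sk = stored
    B = blocks(m, v)
    y = [f(sk[i], DEPTH - B[i]) for i in range(CHAINS)]
    # Checksum chain: lowering any B_i would require inverting f on this chain.
    y.append(f(sk[CHAINS], sum(B)))
    return B, Sigma, y


def verify(m, sig):
    """Steps 64-68: rebuild pk from (x, y), recompute v, check Sigma^2 is in S_v."""
    B, Sigma, y = sig
    if len(B) != CHAINS or len(y) != CHAINS + 1:
        return False
    if not all(1 <= b <= DEPTH for b in B):
        return False
    pk = [f(y[i], B[i]) for i in range(CHAINS)]
    pk.append(f(y[CHAINS], CK_DEPTH - sum(B)))
    v = h_pk(pk)
    return B == blocks(m, v) and pow(Sigma, 2, N_A) in s_v(v)


def demo():
    stored = offline()                      # before any message exists
    sig = online(b"constructed message: pay 10", stored)
    return (verify(b"constructed message: pay 10", sig),
            verify(b"constructed message: pay 99", sig))


if __name__ == "__main__":
    print(demo())
```

All modular arithmetic happens in `offline()`; `online()` performs hash iterations only, which is the speed-up the method claims for the on-line phase.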

It should be appreciated by those skilled in the art that a number of variants are possible even in the 
preferred embodiment. For instance, and without intending to be exhaustive, rather than DES the signer can 
use another conventional cryptosystem. Also, M may not be a standard message used for all messages; for 
instance, it may be randomly selected in each off-line phase. 

It should be appreciated that the methods described above with respect to FIGURES 1 and 2 are useful
in many applications. One such application is for microprocessor-based or "smart" card technology wherein
a credit card or the like includes an appropriate CPU and memory device on the card itself. Typically, the
card is capable of autonomous computation. It can safely store some data and can safely communicate with
external devices (e.g. via a card reader). The card is also capable of receiving and checking a personal
identification number (PIN) or other type of password. For the owner's protection, the card disables itself if,
e.g., the wrong PIN is entered three consecutive times.

To incorporate the principles of the present invention to smart cards, FIGURE 3 discloses a system for
allowing authorized users of intelligent cards to effect transactions via at least one transaction terminal 72.
The system 70 also includes a plurality of intelligent cards 74a-74n and a loading terminal 76 for loading
data into the cards. Each of the cards 74 has a body portion 78 on which is supported a memory 80.
According to the invention, the loading terminal pre-computes a data string x from a pair of matching public
and secret keys of a digital signature scheme and functions to store this data string in the memory 80 of a
particular card 74. The data string pre-computed (in the off-line phase) by the loading terminal 76 has a
unique property: for any message m later selected to be signed, a signature of m derived from x can be
computed substantially faster than the signature of m derived from the matching public and secret keys of
the digital signature scheme. Each card further preferably includes digital processing means 82 or the like
for computing a signature of the message m using the data string x.

The transaction terminal 72 preferably includes a card handler means 84 for receiving a card inserted
into the transaction terminal, a card reader means 86 for communicating with the card inserted into the
terminal and control means 88 for receiving the signature σ of the message m computed by the card. The
control means (which includes a CPU 88a, suitable storage 88b and input/output devices 88c) may also be
used to formulate a message as will be described below. Alternatively, the transaction terminal 72 may
communicate with a card 74 over a cryptographically-secure communications channel such as a telephone
line.

In operation, the owner of the card uses the loading terminal 76 to perform the off-line pre-processing
for the card; i.e., to compute a signature Σ of the public key pk of a first digital signature scheme using the
signing algorithm S of a second digital signature scheme and then to store the signature Σ in the memory
of a transaction card. As shown in FIGURE 3, the loading terminal 76 preferably includes a card handler
77, a card reader 79, and a control means comprising CPU 81a, memory 81b and input/output devices 81c
to facilitate these tasks. When the card communicates with the loading terminal 76 under a proper, safe
protocol, the device can transfer to the card a number of pre-computed signatures, which the card safely
stores inside its memory 80. Moreover, the smart card and the loading device need not be in physical
contact. The exchange of information between the card and the auxiliary device may be effected via a
communication channel (e.g., a broadcasting channel, telephone lines, computer lines, etc.) protected by a
safe cryptographic protocol if desired.

The pre-processed smart cards can then be used as a credit or debit card to effect commercial
transactions. For example, assume a credit card company keeps the user's public key in a safe public file as
long as the user pays his dues. Alternatively, the company may digitally sign the user's public key and give
it to the user by storing it inside his card. A shopkeeper has the transaction terminal 74 capable of reading
the proper public file and safely communicating with the cards. Under PIN protection, and using a safe
communication protocol, the pre-processed card is inserted into the card handler of the terminal 74 and
then controlled in the "on-line" manner to digitally sign a message "m" defining a record of a commercial
transaction (e.g., the date, the merchandise sold, the price, and the name of the shop). The signed
transaction message is then stored in the storage 88b of the transaction terminal and/or transmitted to the
credit card or other financial institution.

A transaction processing system such as described above is highly advantageous to both the card
owner and the shopkeeper. In particular, the card owner is protected (against false charges) because
preferably his PIN must be entered (into the card or the transaction terminal) to sign any message
representing a valid transaction. Likewise, the shopkeeper is protected because he receives the owner's
digital signature which is both universally verifiable and unforgeable. The credit card company is also
protected because a lost or stolen card cannot be used by an illegitimate user (who does not know the
owner's proper PIN). Moreover, because the transaction does not require personal identification and
verification, the card owner's privacy is protected and the transaction time is significantly reduced. Further,
the scheme completely obviates carbon copies or other written documentation of the transaction.

Note that there is no need for the shopkeeper's transaction terminal to reach the credit card company in
any way to look up the public key of the user. For instance, the credit card company may digitally sign the
user's public key, and this signature may be kept by the card and communicated to the transaction
terminal.

The on-line/off-line signature scheme can also be used as an interactive identification scheme as
follows. Using the preferred embodiment of FIGURE 2, the signer chooses a 512-bit composite integer as
the public key of the underlying signature scheme, with n = 24, k = 8, and e = 3. In an off-line stage, the
signer generates the pre-computed signature (Σ,pk,sk). One then sends Σ and pk to a verifier. The verifier
responds by sending back a randomly chosen 24-bit integer i. The sender then sends the one-time
signature of i with respect to pk without any hashing. The verifier checks the underlying signature of pk and
the one-time signature, σ, of i with respect to pk. If both are valid the identification is considered successful.

As noted above, one of the main ingredients of the disclosed method is a "one-time" digital signature
scheme. Referring now to FIGURE 4, a method for generating such one-time digital signatures is shown. At
step 90, f, defined as a one-way function which can be composed with itself, is selected. The function f^i is
derived by composing f with itself i times. As a one-way function may not be a permutation, the inverse of f
may not be defined; therefore, f(x) means any value y such that f(y)=x. By convention, f is a one-way 

5 function if, given V(x)> it is hard to compute f 0+v (x). 

Assume that n denotes the length of the message m ready to be signed. If the original message has
been enriched with a data string and/or hashed, n will be the length after all prior operations. For simplicity,
assume n is the product of two integers n=k*e. At step 92, a sequence of randomly selected inputs
r_1,...,r_{k+1} is generated as a one-time secret key. The method continues at step 94 using the one-time secret
key and the one-way function f to generate the one-way public key as the sequence s_1,...,s_{k+1}, where

$s_i = f^{2^e}(r_i)$

for i=1,...,k and

$s_{k+1} = f^{k \cdot 2^e}(r_{k+1})$.



At step 96, a given message m to be one-time signed is selected. The signer then divides the
message into k segments to obtain k e-bit strings m_1,...,m_k. Each string is an integer between 0 and 2^e.
The one-time signature of m is then computed at step 100 by generating the sequence σ_1,...,σ_{k+1}, where

$\sigma_i = f^{-m_i}(s_i)$

for i=1,...,k and

$\sigma_{k+1} = f^{-(k \cdot 2^e - (m_1 + \ldots + m_k))}(s_{k+1})$.

To verify the signature, the signee computes:

for . . . ,k and

$f^{k \cdot 2^e - (m_1 + \ldots + m_k)}(\sigma_{k+1})$,

and checks that the result equals the one-way public key.

The one-time signature scheme can be generalized into a broader scheme as follows. The method
begins by selecting a predetermined one-way function f and generating k randomly-selected input strings
as a one-time secret key, where the number of input strings k is less than the length n of the message m.
Thereafter, the signer applies the one-way function f to the input strings of the one-time secret key to
generate a one-time public key corresponding to the one-time secret key. To complete the scheme, the
signer then applies the one-way function f to the input strings of the secret key a predetermined number of
times x, where x is polynomial in n, to generate a one-time signature of the message relative to the one-
time public key.

The one-time scheme described above is advantageous as seen by the number of f-evaluations
required and the length of the signature it produces by the number of f-inputs. In particular, generating the
one-time keys takes 2k*2^e f-evaluations, 2^e for each of the first k r_i's and k*2^e for the last one. Signing
requires exactly k*2^e evaluations. The signature has the same length of k + 1 f-inputs, and the length of the
secret key is k + 1 f-inputs.
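The FIGURE 4 scheme and its f-evaluation counts, as an added Python example that is not part of the patent text; the closing tamper test shows what the last ("check sum") f-input is for. It assumes SHA-256 as f, 32-byte f-inputs, the reading s_i = f^(2^e)(r_i), s_{k+1} = f^(k*2^e)(r_{k+1}) of the key equations, and the parameters k = 8, e = 3 quoted in the identification example; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

K, E = 8, 3              # k segments of e bits: n = k*e = 24 (assumed parameters)
CHAIN = 2 ** E           # chain length 2^e for s_1..s_k
LAST = K * CHAIN         # chain length k*2^e for the check-sum element s_{k+1}


def f_iter(x, times, counter=None):
    """Compose f with itself `times` times; f is SHA-256 here (an assumption)."""
    for _ in range(times):
        x = hashlib.sha256(x).digest()
    if counter is not None:
        counter[0] += times          # tally f-evaluations for the cost check
    return x


def split(m):
    """Divide an n-bit message into k e-bit segments m_1..m_k, most significant first."""
    if not 0 <= m < 2 ** (K * E):
        raise ValueError("message must fit in k*e bits")
    return [(m >> (E * (K - 1 - i))) & (CHAIN - 1) for i in range(K)]


def join(segs):
    """Inverse of split()."""
    return sum(s << (E * (K - 1 - i)) for i, s in enumerate(segs))


def keygen(counter=None):
    """sk = r_1..r_{k+1}; pk = s_1..s_{k+1} obtained by walking each chain to its end."""
    sk = [secrets.token_bytes(32) for _ in range(K + 1)]
    pk = [f_iter(r, CHAIN, counter) for r in sk[:K]]
    pk.append(f_iter(sk[K], LAST, counter))
    return sk, pk


def sign(sk, m, counter=None):
    """sigma_i = f^(2^e - m_i)(r_i); sigma_{k+1} = f^(m_1+...+m_k)(r_{k+1})."""
    segs = split(m)
    sig = [f_iter(sk[i], CHAIN - segs[i], counter) for i in range(K)]
    sig.append(f_iter(sk[K], sum(segs), counter))
    return sig


def verify_parts(pk, m, sig, counter=None):
    """Return (message chains reach pk, check-sum chain reaches pk)."""
    if len(sig) != K + 1:
        return False, False
    segs = split(m)
    hits = [hmac.compare_digest(f_iter(sig[i], segs[i], counter), pk[i])
            for i in range(K)]
    check = f_iter(sig[K], LAST - sum(segs), counter)
    return all(hits), hmac.compare_digest(check, pk[K])


def verify(pk, m, sig, counter=None):
    return all(verify_parts(pk, m, sig, counter))


def advance_segment(m, sig, i):
    """Tamper test: one public f-step on sigma_i fits segment value m_i - 1."""
    segs = split(m)
    if segs[i] == 0:
        raise ValueError("segment already at the start of its range")
    segs[i] -= 1
    altered = list(sig)
    altered[i] = f_iter(sig[i], 1)
    return join(segs), altered


if __name__ == "__main__":
    m = 0xA5C3F1                     # constructed 24-bit sample message
    cost = [0]
    sk, pk = keygen(cost)
    print("keygen f-evaluations:", cost[0])
    cost = [0]
    sig = sign(sk, m, cost)
    print("sign f-evaluations:", cost[0])
    print("valid:", verify(pk, m, sig))
    m2, sig2 = advance_segment(m, sig, 0)
    print("altered message (chains, check sum):", verify_parts(pk, m2, sig2))
```

The altered message passes every per-segment chain but fails on the last component, because lowering the segment sum would require stepping the check-sum chain backwards through f.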

The above analysis of the efficiency of one-time signing refers to the case in which the one-time secret
key is all that is remembered from the key-generation stage. However, storing intermediate values of the
powers of f on the r_i's in the key-generation stage subsequently allows faster signing. For instance, if all
intermediate values are stored, 0 f-evaluations are needed for signing: for any m_i, the proper value
f^{-m_i}(s_i) = f^{2^e - m_i}(r_i) is retrieved from memory. If 2k intermediate values are stored (the middle one
for r_1,...,r_k, and k equally spaced ones for s_{k+1}), signing is twice as fast.

Because the one-time secret key consists of k + 1 randomly chosen f-inputs, its length can be
shortened by choosing the f-inputs pseudo-randomly rather than randomly. In particular, a properly short
random seed (string) z is chosen and then expanded in a secure and predetermined fashion to generate the
f-inputs constituting the one-time secret key.

The one-time digital signature scheme of FIGURE 4 simultaneously exhibits the following two properties:

1) The length (in f-inputs) of the one-time signature of a message ready to be signed is shorter than
the length (in binary) of the ready to be signed message itself, and

2) The number of f-evaluations is still polynomial in the length of the message ready to be signed.

Any scheme satisfying both properties is deemed a "well-compressing" one-time signature scheme. For
example, another well-compressing one-time signature scheme can be obtained by computing m_i = m mod
p_i for i=1,...,k; where the p_i's are relatively prime integers whose product is bigger than n. In this
embodiment, the last f-input should be properly used as a "check sum".

As will be evident from the above description, the present invention also describes a method to convert
any ordinary signature scheme, which does not have the on-line/off-line property, into one having it. For
example, any known digital signature scheme can be used in the off-line phase of the method to compute
the signature Σ of the one-time public key (of the one-time digital signature scheme). Thus, if the underlying
scheme is fast, the off-line phase of the transformed scheme will be comparably as fast; however, the on-
line phase will be much faster. The subject scheme also possesses an additional, novel property; it is
secure against chosen plaintext attacks even if the underlying signature scheme is not. Indeed, in the
preferred embodiment, a signature scheme totally unsafe against chosen plaintext attack is used. Because
the disclosed scheme requires a small amount of overhead on top of the effort required by the underlying
signature scheme, it may be used simply for strengthening a given signature scheme. In fact, the scheme
may also be used once the underlying scheme has already been made on-line/off-line according to the
invention.

It should be appreciated by those skilled in the art that the specific embodiments disclosed above may
be readily utilized as a basis for modifying or designing other structures for carrying out the same purposes
of the present invention. It should also be realized by those skilled in the art that such equivalent
constructions do not depart from the spirit and scope of the invention as set forth in the appended claims.



Claims

1. A method for enabling a single signer to generate a digital signature of a message using first and
second digital signature schemes, each of the digital signature schemes having a key generation algorithm
for generating a pair of matching public and secret keys, a signing algorithm which uses the pair of
matching public and secret keys to produce a signature with respect to the public key, and a verification
algorithm for determining whether the signature produced by the signing algorithm is valid with respect to
the public key, comprising the steps of:

(a) computing a signature Σ of the public key pk of the first digital signature scheme using the
signing algorithm S of the second digital signature scheme; and

(b) computing a signature σ of the message using the signing algorithm s of the first digital signature
scheme to generate a digital signature of the message "m", the digital signature comprising a data string
(Σ,σ).

2. The method for generating a digital signature as described in Claim 1 further including the steps of
enriching the message with a data string to create an enriched message and applying a predetermined
differentiating function H to the enriched message prior to computing the signature σ.

3. The method for generating a digital signature as described in Claim 1 further including the step of
enriching the public key with a data string to create an enriched public key prior to computing the signature
Σ.

4. The method for generating a digital signature as described in Claim 2 wherein the predetermined
differentiating function is the identity function.

5. The method for generating a digital signature as described in Claim 2 wherein the predetermined
differentiating function is a hashing function and the data string includes one or more of the following: the
public key pk, a hashed version of the public key pk, a hashed version of the public key pk enriched with a
data string, the signature Σ, data identifying the signer, data identifying the date of signing, other data or no
data.

6. The method for generating a digital signature as described in Claim 1 wherein the first digital
signature scheme is a one-time scheme having a one-time key generation algorithm g, a one-time signing
algorithm s and a one-time verification algorithm v.

7. A method for generating and verifying digital signatures using one or more one-time digital signature
schemes and a second digital signature scheme, each of the digital signature schemes having a key
generation algorithm for generating a pair of matching public and secret keys, a signing algorithm which
uses the pair of matching public and secret keys to produce a signature with respect to the public key, and
a verification algorithm for determining whether the signature produced by the signing algorithm is valid with
respect to the public key, comprising the steps of:

(a) computing a signature Σ of the public key pk of one of the one-time digital signature schemes
using the signing algorithm S of the second digital signature scheme;

(b) storing a data string in a storage area, the data string comprising a pre-computed signature which
includes the signature Σ of the public key pk of the one-time digital signature scheme;

(c) selecting a message m to be signed;

(d) using a predetermined differentiating function H to map the message into a mapped message;

(e) computing a signature σ of the mapped message using the signing algorithm s of the one-time
digital signature scheme used in step (a); and

(f) compiling a data string (Σ,σ) representing a signature of the message m.

8. The method for generating and verifying digital signatures as described in Claim 7 further including 
the step of: 

(g) repeating steps (a)-(f) using a different one-time digital signature scheme for each message 
selected to be signed. 

9. The method for generating and verifying digital signatures as described in Claim 7 further including 
the steps of: 

(h) using the verification algorithm V of the second digital signature scheme to determine whether the
signature Σ is the signature of the public key pk in the one-time digital signature scheme;

(i) if the signature Σ is the signature of the public key pk, using the predetermined differentiating
function to generate the mapped message; and

(j) using the verification algorithm v of the one-time digital signature scheme used in step (a) to verify
that the signature σ is the one-time signature of the mapped message.

10. The method for generating and verifying digital signatures as described in Claim 7 wherein the pre- 
computed signature includes the secret key sk of the one-time digital signature scheme. 

11. A method for generating digital signatures using a one-time digital signature scheme and a second
digital signature scheme, each of the digital signature schemes having a key generation algorithm for
generating a pair of matching public and secret keys, a signing algorithm which uses the pair of matching
public and secret keys to produce a signature with respect to the public key, and a verification algorithm for
determining whether the signature produced by the signing algorithm is valid with respect to the public key,
comprising the steps of:

(a) enriching the public key pk of the one-time signature scheme and using a predetermined
differentiating function H to map the enriched public key into a data string H'(pk);

(b) computing a signature Σ of the data string H'(pk) using the signing algorithm S of the second
digital signature scheme;

(c) selecting a message m to be signed;

(d) enriching the message and using a predetermined differentiating function H to map the enriched
message and the data string H'(pk) into a data string H(m,H'(pk));

(e) computing a signature σ of the data string H(m,H'(pk)) using the signing algorithm s of the one-
time digital signature scheme; and

(f) compiling a data string (Σ,σ) representing a signature of the message m.

12. A method for generating digital signatures as described in Claim 11 further including the step of: 

(g) repeating steps (a)-(f) using a different one-time digital signature scheme for each message 
selected to be signed. 

13. A method for enhancing the security of a known digital signature scheme which may be subject to
an adaptive chosen plaintext attack, the known digital signature scheme having a key generation algorithm
G for generating a pair of matching public and secret keys (PK,SK), a signing algorithm S which uses the
pair of matching public and secret keys to produce a signature with respect to the public key PK, and a
verification algorithm V for determining whether the signature produced by the signing algorithm is valid
with respect to the public key PK, comprising the steps of:

(a) running a key generation algorithm g of a one-time digital signature scheme to generate a one-
time public key pk and its associated one-time secret key sk;

(b) computing a signature Σ of the public key pk of the one-time digital signature scheme using the
signing algorithm S of the known digital signature scheme;

(c) storing a data string in a storage area, the data string comprising a pre-computed signature which
includes the signature Σ of the public key pk of the one-time digital signature scheme;

(d) selecting a message m to be signed;

(e) using a predetermined differentiating function H to map the message into an enriched message;

(f) computing a signature σ of the enriched message using the signing algorithm s of the one-time
digital signature scheme; and

(g) compiling a data string (Σ,σ) representing a signature of the message m.

14. The method for enhancing the security of a known digital signature scheme as described in Claim
13 wherein the known digital signature scheme is the Rivest, Shamir and Adleman (RSA) scheme.

15. A method for on-line/off-line digital signing, comprising the steps of:

(a) pre-computing a data string x from a pair of matching public and secret keys of a digital signature
scheme such that for any message m later selected to be signed, a signature of m derived from x can be
computed substantially faster than the signature of m derived from the matching public and secret keys;

(b) selecting a message m to be signed;

(c) computing a signature σ of the message m using the data string x.

16. The method for on-line/off-line signing as described in Claim 15 wherein steps (a) and (c) are 
carried out by the same signer. 

17. The method for on-line/off-line signing as described in Claim 15 wherein steps (a) and (c) are
carried out by a different signer.

18. The method for on-line/off-line signing as described in Claim 15 wherein step (a) is run to generate
a new data string for each message m to be signed.

19. The method for on-line/off-line signing as described in Claim 16 wherein each data string includes a 
different pair of matching public and secret keys. 

20. A method for generating a digital signature of a message using first and second digital signature
schemes, each of the digital signature schemes having a key generation algorithm, a signing algorithm and
a verification algorithm, comprising the steps of:

(a) running the key generation algorithm g of the first digital signature scheme to generate a plurality
of public keys and their associated secret keys;

(b) computing a signature Σ of the plurality of public keys of the first digital signature scheme using
the signing algorithm S of the second digital signature scheme;

(c) storing a data string in a storage area, the data string comprising a pre-computed signature which
includes the signature Σ of the plurality of public keys of the first digital signature scheme;

(d) selecting a message m to be signed;

(e) using a predetermined differentiating function H to map the message into a data string H(m);

(f) computing a signature σ of the data string H(m) with respect to one of the public keys pk of the
first digital signature scheme using the signing algorithm s of the first digital signature scheme; and

(g) compiling a data string (Σ,σ) representing a signature of the message m.

21. The method for generating a digital signature as described in Claim 20 wherein steps (d)-(g) are
repeated using a different public key of the first digital signature scheme for each message to be signed.

22. The method for generating a digital signature as described in Claim 20 further including the step of
hashing the plurality of public keys prior to computing the signature Σ.

23. The method for generating a digital signature as described in Claim 22 wherein the data string
includes the plurality of public keys to enable verification of the signature σ.

24. A method for generating a one-time digital signature of a message ready to be signed, the message
having a length n, comprising the steps of:

(a) selecting a predetermined one-way function f which can be composed with itself;

(b) generating k randomly-selected input strings as a one-time secret key, where the number of input
strings k is less than the length n of the message m;

(c) applying the one-way function f to the input strings of the one-time secret key to generate a one-
time public key corresponding to the one-time secret key; and

(d) applying the one-way function f to the input strings of the secret key a predetermined number of
times x, where x is polynomial in n, to generate a one-time signature of the message relative to the one-
time public key.

25. The method for generating a one-time digital signature as described in Claim 24 wherein the input
strings of the one-time secret key are selected in a pseudo-random manner.

26. A method for generating a one-time digital signature of a message ready to be signed, the message
having a length n which is less than or equal to the product (ek) where e and k are integers, comprising the
steps of:

(a) selecting a predetermined one-way function f which can be composed with itself;

(b) generating a sequence of randomly-selected inputs as a one-time secret key;

(c) using the predetermined one-way function f and the one-time secret key to generate a sequence
s_1,...,s_{k+1} as a one-time public key, where

$s_i = f^{2^e}(r_i)$

for i=1,...,k and

$s_{k+1} = f^{k \cdot 2^e}(r_{k+1})$;

(d) selecting a message m to be signed;

(e) dividing the message m into k segments to obtain k e-bit strings m_1,...,m_k, each of the strings
being an integer between 0 and 2^e; and

(f) generating a one-time signature of the message m comprising the sequence σ_1,...,σ_{k+1}, where

$\sigma_i = f^{-m_i}(s_i)$

for i=1,...,k and

$\sigma_{k+1} = f^{-(k \cdot 2^e - (m_1 + \ldots + m_k))}(s_{k+1})$.



27. A card for use in effecting transactions, comprising: 
a body portion; 

a memory within said body portion for storing a data string x pre-computed from a pair of matching public 
and secret keys of a digital signature scheme such that, for any message m later selected to be signed, a 
signature of m derived from x can be computed substantially faster than the signature of m derived from 
the matching public and secret keys; and 

means for computing a signature σ of the message m using the data string x.

28. A card for use in effecting transactions, comprising: 
a body portion; 

a memory within said body portion for storing a signature Σ, the signature Σ being the digital signature of a
public key pk of a first digital signature scheme derived by a signing algorithm S of a second digital
signature scheme; and

means within the body portion for computing a signature σ of a transaction data message using a signing
algorithm s of the first digital signature scheme.

29. A system for allowing authorized users of transaction cards to effect transactions via at least one 
transaction terminal, comprising: 

a plurality of said cards, each of the cards having a memory for storing a data string x pre-computed from a
pair of matching public and secret keys of a digital signature scheme such that, for any message m later
selected to be signed, a signature of m derived from x can be computed substantially faster than the
signature of m derived from the matching public and secret keys, each card further including means for
computing a signature σ of the message m using the data string x; and

at least one transaction terminal having means for communicating with the card and for receiving the
signature σ of the message m computed by the card.

30. The system for allowing authorized users of transaction cards to effect transactions as described in 
Claim 29 wherein the transaction terminal further includes means for generating the message m. 

31. A system for allowing authorized users of transaction cards to effect transactions via at least one 
transaction terminal, comprising: 

a plurality of said intelligent cards, each of the cards having stored therein a signature Σ representing the
digital signature of a public key pk of a first digital signature scheme derived by a signing algorithm S of a
second digital signature scheme, each of the cards further including means for computing a signature σ of a
transaction data message using a signing algorithm s of the first digital signature scheme and means for
storing a data string (Σ,σ); and

at least one transaction terminal having means for receiving a card inserted into the transaction terminal,
means for communicating with the card inserted into the terminal and means for receiving the signature σ of
the message m computed by the card.

32. A terminal for loading data into transaction cards to be used with at least one transaction terminal,
each card having a memory therein, comprising:

means for computing a data string x pre-computed from a pair of matching public and secret keys of a
digital signature scheme such that, for any message m later selected to be signed, a signature of m derived
from x can be computed substantially faster than the signature of m derived from the matching public and
secret keys; and

means for storing the data string x in the memory of a transaction card.

33. A terminal for loading data into transaction cards to be used with at least one transaction terminal, 
each card having a memory therein, comprising: 

means for computing a signature Σ of the public key pk of a first digital signature scheme using the signing
algorithm S of a second digital signature scheme; and

means for storing the signature Σ in the memory of a transaction card.

SIGNER SELECTS AGREED-UPON UNDERLYING SIGNATURE SCHEME HAVING A KEY-GENERATION ALGORITHM G, A SIGNING ALGORITHM S AND A VERIFICATION ALGORITHM V

SIGNER RUNS G TO GENERATE MATCHING SECRET AND PUBLIC KEYS (SK, PK)

SIGNER SELECTS H AS AN AGREED-UPON DIFFERENTIATING FUNCTION

SIGNER SELECTS AGREED-UPON ONE-TIME SIGNATURE SCHEME HAVING A KEY-GENERATION ALGORITHM g, A SIGNING ALGORITHM s AND A VERIFICATION ALGORITHM v

SIGNER RUNS g TO RANDOMLY SELECT A ONE-TIME PUBLIC KEY pk AND ITS ASSOCIATED SECRET KEY sk

SIGNER COMPUTES UNDERLYING SIGNATURE OF pk USING THE SIGNING ALGORITHM S

SIGNER STORES "PRE-COMPUTED" SIGNATURE (Σ, pk, sk)

FIG. 1

SIGNER GENERATES ENRICHED AND/OR HASHED MESSAGE

SIGNER COMPUTES A ONE-TIME SIGNATURE σ OF THE ENRICHED AND/OR HASHED MESSAGE USING THE SIGNING ALGORITHM s

SIGNATURE OF m IS THEN COMPILED AS THE DATA STRING

SIGNEE USES VERIFICATION ALGORITHM V AND THE PUBLIC KEY PK TO CHECK WHETHER Σ IS THE SIGNATURE OF pk IN THE UNDERLYING ONE-TIME DIGITAL SIGNATURE SCHEME

SIGNEE COMPUTES ENRICHED AND/OR HASHED MESSAGE

SIGNEE RUNS THE ONE-TIME VERIFICATION ALGORITHM v TO